Duplicate-order denial of service via front-running deterministic order_id
Description
The order_id is calculated as sha256(secret_hash || initiator || redeemer || timelock). All four inputs are present in a pending transaction’s calldata, so they are visible to any mempool listener. Additionally, initiate_on_behalf allows any address to supply these same values without proving the ownership of initiator.
An attacker can therefore copy the four fields from a victim’s pending swap and submit initiate_on_behalf with identical fields and amount = 1. If their transaction confirms first, the registry stores a dust order under that order_id, causing the victim’s later transaction to abort with EDuplicateOrder.
Impact
During high-volatility windows or trading opportunities, the attacker can deny a competitor access to an arbitrage opportunity at negligible cost. A potential exploit scenario is as follows:
Spot a lucrative cross-chain price gap; watch the mempool for victims opening HTLCs to execute the arb.
Copy their four pre-image fields and front-run with an initiate_on_behalf dust order, blocking their swap via EDuplicateOrder.
With their liquidity frozen, capture the arbitrage window yourself.
Recommendations
Add an unpredictable salt (e.g., a fresh UID or nonce) to the order_id preimage.
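The following Python model is an added illustration, not Garden Finance's code. It compares the deterministic order_id with a salted one: the same four fields are submitted twice to a registry that rejects duplicate IDs. The Registry class, the 8-byte big-endian timelock encoding, and the use of os.urandom as a stand-in for a fresh on-chain UID are assumptions; the point it demonstrates is that the salt must be produced by the contract at execution time rather than passed in calldata.

```python
import hashlib
import os

class DuplicateOrder(Exception):
    """Stands in for the EDuplicateOrder abort."""

def order_id(secret_hash, initiator, redeemer, timelock, salt=b""):
    # sha256(secret_hash || initiator || redeemer || timelock [|| salt])
    # Assumption: timelock is encoded as 8 bytes, big-endian.
    preimage = secret_hash + initiator + redeemer + timelock.to_bytes(8, "big") + salt
    return hashlib.sha256(preimage).hexdigest()

class Registry:
    """Hypothetical model of the order registry."""
    def __init__(self, salted):
        self.salted = salted
        self.orders = {}

    def initiate_on_behalf(self, sender, secret_hash, initiator, redeemer, timelock, amount):
        # Hardened mode: the registry generates the salt itself when the
        # call executes, so nobody reading pending calldata can predict it.
        salt = os.urandom(32) if self.salted else b""
        oid = order_id(secret_hash, initiator, redeemer, timelock, salt)
        if oid in self.orders:
            raise DuplicateOrder(oid)
        self.orders[oid] = {"funder": sender, "initiator": initiator, "amount": amount}
        return oid

def replay(salted):
    """Submit identical fields from two senders; return (first_id, second_id or None)."""
    reg = Registry(salted)
    # Constructed sample values, not taken from any real swap.
    fields = (hashlib.sha256(b"constructed-secret").digest(),
              b"I" * 32, b"R" * 32, 1_700_000_000)
    first = reg.initiate_on_behalf(b"X" * 32, *fields, amount=1)
    try:
        second = reg.initiate_on_behalf(b"I" * 32, *fields, amount=10**9)
    except DuplicateOrder:
        return first, None  # the later, legitimate order is rejected
    return first, second

if __name__ == "__main__":
    print("deterministic id:", replay(salted=False))
    print("salted id:       ", replay(salted=True))
```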
Remediation
This issue has been acknowledged by Garden Finance, and a fix was implemented in commit e85e06c9.